An Overview of OpenBSD Security

08/08/2000

OpenBSD is often noted for its code auditing and integrated crypto, but the security features go far beyond this. OpenBSD was built from the ground up on the model of being a fabric woven with security in mind, not a patchwork of bug fixes and security updates. This has led to OpenBSD finally being recognized today for what it is: the most secure operating system on earth. This article aims to illustrate these features and provide practical examples of their
implication on production machines.

Encryption

One of the most astounding things about the information superhighway is the number of people driving down it with their doors unlocked. Users and even administrators still commonly employ systems where sensitive information such as financial records and personal details are thrown over public networks as clear text. This is largely due to the proliferation of cleartext protocols such as telnet, rlogin, and http. OpenBSD solves these issues by containing encrypted replacements by default: OpenSSH for telnet and rlogin and https (OpenSSL). One of the first configuration tasks for an OpenBSD administrator should be the correct setup of ssh and ssl to ensure system security. OpenSSH is configured via two primary configuration files; some useful excerpts of those files follow:

/etc/ssh_config (OpenSSH client configuration):

UseRsh no
FallBackToRsh no
# OpenSSH will never fall back
# to the cleartext RSH protocol.
ForwardX11 no
# Do not allow X windows forwarding
# through the SSH session.

/etc/sshd_config (OpenSSH server configuration):

Port 22
ListenAddress 0.0.0.0
# Listen on all active interfaces
HostKey /etc/ssh_host_key
# Store the key in the default location
ServerKeyBits 1664
# Generate a 1664 bit key (stronger
# crypto than by default)
LoginGraceTime 600
# Allow 600 seconds for a client to login
KeyRegenerationInterval 3600
# Generate a new key every 3600
# seconds (hourly)
PermitRootLogin no
# Do not allow clients to login directly as
# root, must use su
X11Forwarding no
# Do not allow X windows forwarding through
# the SSH session.
PermitEmptyPasswords no
# A password MUST be issued - no passwordless
# logins allowed.

With SSH configured using these or similar options, the next step in enabling OpenBSD crypto is to set up OpenSSL-based https. This is a good replacement to cleartext http when sensitive information is being parsed through CGI POSTs or
similar methods. The official documentation for mod_ssl (located by default in /var/www/htdocs/manual/mod/mod_ssl/ on OpenBSD systems) provides more detailed configuration information, but the process is three relatively simple steps:

1. Generate a server key and self-signed x.509 certificate:

Generate a server.key:openssl genrsa -des3 -out server.key 1024
Place this file in /etc/ssl